rubrikinc / terraform-provider-polaris

Terraform provider for the Polaris platform
MIT License

Resource Groups not being created by polaris_azure_subscription #144

Closed DamaniN closed 1 month ago

DamaniN commented 2 months ago

Expected Behavior

When adding a subscription to Azure, an RSC-generated resource group is supposed to be created in the subscription that is being added. New snapshots are then stored in this resource group.

Current Behavior

New snapshots are failing on Terraform added subscriptions stating that the resource group cannot be found for the snapshot.

Failure Information (for bugs)

This is a sample error that was received:

Error running task 8: unable to create virtual machine snapshot (Error RBK30100039: Unable to perform the operation as the resource group doesn't exist. Possible cause: (Azure reported an error: ResourceGroupNotFound - failed to create snapshot of disk '/subscriptions/<REDACTED>/resourceGroups/<REDACTED>/providers/Microsoft.Compute/disks/<REDACTED>-os-disk' with name 'Rubrik-Snapshot-VM-<REDACTED>' in resource group 'RubrikBackups-RG-DontDelete-<REDACTED>': PUT https://management.azure.com/subscriptions/<REDACTED>/resourceGroups/RubrikBackups-RG-DontDelete-<REDACTED>/providers/Microsoft.Compute/snapshots/Rubrik-Snapshot-VM-<REDACTED>

Steps to Reproduce

  1. Add a subscription using the following resource definition:
resource "polaris_azure_subscription" "subscription" {
  subscription_id   = var.azure_subscription_id
  subscription_name = var.subscription_name
  tenant_domain     = "<REDACTED>.onmicrosoft.com" #polaris_azure_service_principal.default.tenant_domain

  delete_snapshots_on_destroy = true

  cloud_native_protection {
    regions = [
      "eastus2",
      "centralus"
    ]
  }
}
  2. Try to take a backup of a VM in the newly added subscription.

Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

Failure Logs

See above

johan3141592 commented 2 months ago

Duplicate of https://github.com/rubrikinc/terraform-provider-polaris/issues/88

DamaniN commented 2 months ago

@johan3141592, this is a different issue. #88 asks for custom resource groups to be created. This issue is a bug where the resource groups are not created at all, even the default ones.

johan3141592 commented 2 months ago

@DamaniN I see, thank you for clarifying. I think we need to raise a ticket for RSC to have this fixed, the TF provider doesn't do anything special to have resource groups created.

pmilano1 commented 2 months ago

Has anyone created a Jira for ENG to look into this? This is an issue in the UI as well?

DamaniN commented 2 months ago

@pmilano1, not at this point. The thought was to get the granular permissions issues worked out with the provider first and see if that resolves the issue. If it doesn't, then we would pursue this with Engineering.

johan3141592 commented 2 months ago

@DamaniN and @pmilano1, I have experimented with this today and can confirm that the resource group is not created when onboarding a subscription without specifying a resource group. According to engineering this is the expected behaviour. Fortunately the support for custom resource groups just landed in the latest beta release (v0.9.0-beta.1), specifying an existing resource group using resource_group_name and resource_group_region works around this problem. I've successfully taken snapshots of Azure VMs and have them stored in the custom resource group. Note, AZURE_SQL_DB_PROTECTION and AZURE_SQL_MI_PROTECTION do not support custom resource groups in RSC, we might need to investigate further if those features still are affected.
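
The workaround described in the comment above, as an added example that is not part of the original thread or the project's own code: the resource group is created in Azure first and then passed to the subscription resource. It assumes the azurerm and polaris providers are already configured, that resource_group_name and resource_group_region are set inside the cloud_native_protection block, and the resource group name and tenant domain are hypothetical placeholders.

```hcl
# Added example. Names marked "hypothetical" do not come from the thread.
variable "azure_subscription_id" {
  type = string
}

variable "subscription_name" {
  type = string
}

# Per the thread, RSC does not create the resource group during onboarding,
# so it has to exist in Azure before the first snapshot is taken.
resource "azurerm_resource_group" "rsc_snapshots" {
  name     = "rsc-snapshots-rg" # hypothetical name
  location = "eastus2"
}

resource "polaris_azure_subscription" "subscription" {
  subscription_id   = var.azure_subscription_id
  subscription_name = var.subscription_name
  tenant_domain     = "example.onmicrosoft.com" # hypothetical placeholder

  delete_snapshots_on_destroy = true

  cloud_native_protection {
    regions = [
      "eastus2",
      "centralus"
    ]

    # Assumed placement of the two arguments named in the thread.
    # Referencing the azurerm attributes (rather than literal strings)
    # makes Terraform create the resource group before onboarding.
    resource_group_name   = azurerm_resource_group.rsc_snapshots.name
    resource_group_region = azurerm_resource_group.rsc_snapshots.location
  }
}
```

Because the subscription resource depends on the resource group, `terraform destroy` removes them in the reverse order, so the snapshot resource group outlives the RSC subscription entry until the latter is gone.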

johan3141592 commented 1 month ago

@DamaniN and @pmilano1 can we close this? I don't believe this is an issue with the TF provider. When manually onboarding a subscription using the UI and the Configure without OAuth workflow, the wizard explicitly prompts you to confirm that the resource groups you've entered already exist in Azure, i.e. they won't be created by RSC.

It's not possible to onboard a subscription without specifying a resource group using the UI.

DamaniN commented 1 month ago

@johan3141592, the provider wasn't giving us a way to configure RSC since it didn't provide a method to specify the Resource Group. Now that it does, this ticket can be closed. Please reference the commit that adds the specification of the resource groups to this ticket when you close it.

johan3141592 commented 1 month ago

Commit 1f1b81752d30340b67811ef3faee8e603ed4b3d0 adds support for specifying resource groups to the TF provider. Commit d1242552a36a730289cde2255ba778a29fd04ecd improves the resource group documentation. It was first introduced in the v0.9.0-beta.1 release, however, using the latest beta probably makes more sense.